Adding sigma rules related to Restic for Data Exfiltration and CleanUpLoader (Oyster Backdoor)
CTI-Driven opened this issue
```yaml
title: Detect the Use of Restic Backup Tool for Data Exfiltration
id: 12345678-1234-1234-1234-123456789012
description: |
    Restic is an open-source backup tool that supports backing up data to various storage types, including local directories, SFTP servers, and cloud services like Amazon S3, Google Cloud Storage, and Microsoft Azure. Recently, it has been observed in use by the BlackCat Ransomware group.
status: experimental
references:
    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
    - https://restic.net/
author: Nounou Mbeiri
date: 2024/10/15
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains|all:
            - " -r"
            - " :/"
            - " init"
    selection2:
        CommandLine|contains|all:
            - " --repo"
            - " :/"
            - " init"
    selection3:
        CommandLine|contains:
            - " backup"
            - " init"
    parameter1:
        CommandLine|contains|all:
            - " -r"
            - "sftp:"
    parameter2:
        CommandLine|contains|all:
            - " -r"
            - " rest:http"
    parameter3:
        CommandLine|contains|all:
            - " -r"
            - " s3:s3."
            - "amazonaws"
    parameter4:
        CommandLine|contains|all:
            - " -r"
            - " s3:http"
    parameter5:
        CommandLine|contains|all:
            - " -r"
            - " swift:"
    parameter6:
        CommandLine|contains|all:
            - " -r"
            - " b2:"
    parameter7:
        CommandLine|contains|all:
            - " -r"
            - " azure:"
    parameter8:
        CommandLine|contains|all:
            - " -r"
            - " gs:"
    parameter9:
        CommandLine|contains|all:
            - " -r"
            - " rclone:"
    condition: ((selection1 or selection2) or (selection3 and 1 of parameter*))
falsepositives:
    - Legitimate use of Restic for backup purposes
level: high
```
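To check what the Restic rule's condition actually fires on, here is an added example (not part of the issue or of any Sigma tooling) that re-implements the rule's `contains` / `contains|all` selections and its condition in plain Python and runs them over three constructed process_creation command lines; the hostnames and paths in the samples are placeholders.

```python
# Added example, not part of the issue or the Sigma project: a minimal evaluator
# for the Restic rule's detection block, run over constructed command lines.
# Sigma `contains` is case-insensitive; the `|all` modifier needs every value.

SELECTIONS = {  # name -> (require_all, values), copied from the rule
    "selection1": (True, [" -r", " :/", " init"]),
    "selection2": (True, [" --repo", " :/", " init"]),
    "selection3": (False, [" backup", " init"]),
}
PARAMETERS = {  # every parameter* selection uses contains|all
    "parameter1": [" -r", "sftp:"],
    "parameter2": [" -r", " rest:http"],
    "parameter3": [" -r", " s3:s3.", "amazonaws"],
    "parameter4": [" -r", " s3:http"],
    "parameter5": [" -r", " swift:"],
    "parameter6": [" -r", " b2:"],
    "parameter7": [" -r", " azure:"],
    "parameter8": [" -r", " gs:"],
    "parameter9": [" -r", " rclone:"],
}


def contains(command_line, values, require_all):
    """Case-insensitive substring match; all values or any value."""
    hay = command_line.lower()
    hits = [v.lower() in hay for v in values]
    return all(hits) if require_all else any(hits)


def evaluate(command_line):
    """Return which selections/parameters hit and the rule's verdict."""
    result = {n: contains(command_line, v, a) for n, (a, v) in SELECTIONS.items()}
    hit_params = [n for n, v in PARAMETERS.items() if contains(command_line, v, True)]
    # condition: ((selection1 or selection2) or (selection3 and 1 of parameter*))
    result["parameters"] = hit_params
    result["alert"] = (result["selection1"] or result["selection2"]) or (
        result["selection3"] and len(hit_params) >= 1
    )
    return result


# Constructed sample command lines (placeholder hosts/paths, not real IoCs).
SAMPLES = [
    r"restic.exe -r sftp:backup@files.example.net:/srv/repo init",
    r"restic.exe -r rest:http://files.example.net:8000/ backup C:\Users",
    r"restic.exe -r D:\restic-repo backup C:\Data",  # local repo, no alert
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        r = evaluate(cmd)
        print(f"{'ALERT' if r['alert'] else 'ok   '} {cmd}  params={r['parameters']}")
```

Note that the `" :/"` value in selection1 and selection2 requires a space before the colon, so the two remote repositories above are only caught through selection3 plus a parameter* hit, while the local repository produces no alert.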
```yaml
title: Detect Rundll32 and Schtasks Command Events Linked to CleanUpLoader
id: 12345678-1234-5678-1234-567812345678
status: experimental
description: Detects process creation events involving rundll32.exe and schtasks.exe commands associated with CleanUpLoader (Oyster Backdoor) activity on Windows systems.
references:
    - https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
    - https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
    - https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
    - https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
    - attack.discovery
    - attack.command_and_control
    - attack.exfiltration
    - attack.t1040
    - attack.t1041
    - attack.t1071
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - '%s'
            - 'Test'
    selection2:
        CommandLine|contains:
            - 'rundll32.exe'
    selection21:
        CommandLine|contains:
            - 'CleanUp.dll'
            - 'CleanUp30.dll'
    selection3:
        CommandLine|contains|all:
            - 'schtasks.exe'
            - '/create'
            - 'ClearMngs'
            - 'rundll32'
            - '.dll'
            - 'Test'
    selection4:
        CommandLine|contains|all:
            - 'powershell.exe'
            - 'schtasks.exe'
            - 'CreateShortcut'
            - '.lnk'
            - 'rundll32'
            - '.dll'
            - 'Test'
    condition: selection1 or (selection2 and selection21) or selection3 or selection4
falsepositives:
    - Scripts or automation tools that include similar command patterns
level: high
```
```yaml
title: Detect DLL File Creation Events Linked to CleanUpLoader
id: 87654321-4321-8765-4321-876543218765
status: experimental
description: Detects the creation of specific DLL files in Temp or Downloads folders, potentially linked to CleanUpLoader (Oyster Backdoor) activity.
references:
    - https://www.reliaquest.com/blog/5-malware-variants-you-should-know/
    - https://go.recordedfuture.com/hubfs/reports/cta-2024-1009.pdf
    - https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-execution-of-oyster-backdoor/
    - https://app.any.run/tasks/aa15e125-38b8-44d8-add9-54e21e6813bb
author: Nounou Mbeiri
date: 2024/10/15
tags:
    - attack.discovery
    - attack.command_and_control
    - attack.exfiltration
    - attack.t1040
    - attack.t1041
    - attack.t1071
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - 'CleanUp.dll'
            - 'CleanUp30.dll'
        TargetFilename|contains:
            - '\Temp'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that use a DLL named CleanUp.dll
level: medium
```